XML External Entity Vulnerability in VMware vRealize Orchestrator
CVE-2023-20855

8.8HIGH

Key Information:

Vendor: Vmware
Status: VMware vRealize Orchestrator, VMware vRealize Automation, VMware Cloud Foundation
Vendor: CVE Published:; 22 February 2023

Summary

VMware vRealize Orchestrator has an XML External Entity (XXE) vulnerability that allows a malicious individual with non-administrative access to exploit specially crafted XML input. This could lead to unauthorized access to sensitive information and potentially allow the attacker to escalate their privileges within the system.

Affected Version(s)

VMware vRealize Orchestrator, VMware vRealize Automation, VMware Cloud Foundation VMware vRealize Orchestrator 8.x

References

https://www.vmware.com/security/advisories/VMSA-2023-0005...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 22, 2023
Vulnerability Reserved
Nov 1, 2022